On Tue, May 29, 2012 at 04:32:23PM +0200, kalpesh thaker <[email protected]> wrote a message of 252 lines which said:
> we have been, and still are currently the victims of a terrible DNS
> DOS amplification attack.

...

> May 28 15:01:13 ns1 pdns[9603]: Not authoritative for 'filezilla.de
> <http://filezilla.de>', sending servfail to 184.22.170.194
> (recursion was desired)

Where is the amplification? A SERVFAIL response is not larger than the
incoming request. Real amplification attacks query authoritative servers
(with the domains they manage) or open recursors.

> - setup IPtables with a chain to reject udp/tcp connections to port
> 53 if they create more than 7 connections per second

This requires connection tracking and could kill your machine if the
server has many different clients (especially for UDP where "connections"
are extremely short but Linux connection tracking remembers them for a
long time). I prefer the hashlimit module, it still has state but much
less, and it allows burstiness (this is very important on the public
Internet):

iptables -A INPUT -p udp --dport 53 -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
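The two points in the reply above, worked through in Python. This is an added example, not code from the mailing list thread or from PowerDNS: the first part builds a minimal DNS query and the SERVFAIL a non-authoritative server returns for it, to show that the answer is byte-for-byte the same size as the question and therefore amplifies nothing; the second part is a simplified token-bucket model of the posted hashlimit rule (rate 20/s, burst 100, one bucket per source /28), run over constructed traffic, to show that a legitimate burst and a steady low rate pass untouched, that a sustained flood is cut back to roughly the configured rate, and that the state kept is a handful of prefix buckets rather than one conntrack entry per UDP flow. The traffic, addresses and port numbers are constructed, and the bucket model ignores hashlimit's idle-entry expiry.

```python
import ipaddress
import struct


# ---------- 1. A SERVFAIL is no larger than the query that caused it ----------

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query in wire format: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def servfail_for(query):
    """Reply of a server that is not authoritative and will not recurse:
    same transaction id, question echoed back, RCODE=2, no answer records."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    rflags = 0x8000 | (flags & 0x0100) | 0x0002  # QR=1, copy RD, RCODE=SERVFAIL
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:]


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def amplification_factor(query):
    """Bytes sent out per byte received; anything <= 1.0 is not amplification."""
    return len(servfail_for(query)) / len(query)


# ---------- 2. hashlimit as one token bucket per source prefix ----------

class HashLimit:
    """Simplified model of `-m hashlimit --hashlimit-above RATE --hashlimit-burst B
    --hashlimit-mode srcip --hashlimit-srcmask N` (assumption: no idle expiry).
    Each src/N prefix owns a bucket that starts with B tokens and refills at RATE
    tokens per second. A packet that finds a token passes (rule does not match);
    a packet that finds the bucket empty is 'above' the rate and hits -j DROP."""

    def __init__(self, rate_per_sec, burst, srcmask=32):
        self.rate, self.burst, self.srcmask = float(rate_per_sec), float(burst), srcmask
        self.buckets = {}  # prefix -> (tokens, last_seen_time)

    def key(self, src):
        return str(ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False))

    def drops(self, src, now):
        """True if a packet from src at time `now` (seconds) matches the rule."""
        k = self.key(src)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[k] = (tokens - 1.0, now)
            return False
        self.buckets[k] = (tokens, now)
        return True

    def state_entries(self):
        return len(self.buckets)


def simulate(limiter, packets):
    """packets: iterable of (time_s, src_ip, src_port). Returns (passed, dropped)."""
    passed = dropped = 0
    for t, src, _sport in packets:
        if limiter.drops(src, t):
            dropped += 1
        else:
            passed += 1
    return passed, dropped


def conntrack_entries(packets):
    """State a conntrack-based limit keeps: one entry per UDP flow. Destination
    (our port 53) is fixed, so (src, sport) identifies the flow."""
    return len({(src, sport) for _t, src, sport in packets})


# Constructed traffic (documentation address ranges): a resolver's short burst,
# a steady 10 q/s client, and a flood of 1000 q/s from rotating ports for 5 s.
LEGIT_BURST = [(i * 0.001, "192.0.2.10", 40000 + i) for i in range(60)]
STEADY = [(i * 0.1, "203.0.113.5", 50000 + i) for i in range(300)]
FLOOD = [(i * 0.001, "198.51.100.7", 1024 + i) for i in range(5000)]


def run_scenarios():
    lim = HashLimit(rate_per_sec=20, burst=100, srcmask=28)
    return {
        "legit_burst": simulate(lim, LEGIT_BURST),     # all 60 pass
        "steady_10ps": simulate(lim, STEADY),          # all 300 pass
        "flood_1000ps": simulate(lim, FLOOD),          # ~100 burst + ~20/s thereafter
        "hashlimit_entries": lim.state_entries(),      # one bucket per /28 seen
        "conntrack_entries": conntrack_entries(LEGIT_BURST + STEADY + FLOOD),
    }


if __name__ == "__main__":
    q = build_query("filezilla.de")
    print(f"query {len(q)} B, SERVFAIL {len(servfail_for(q))} B, "
          f"factor {amplification_factor(q):.2f}")
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Running it shows the flood source still gets roughly its first hundred queries answered before the bucket drains (that is the burst the mail calls important on the public Internet), after which only about one in fifty of its packets passes, while the two well-behaved clients never see a drop. The last two entries make the state comparison concrete: three prefix buckets against several thousand per-flow conntrack entries for the same traffic.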
